
Wazuh 4.8.0 vulnerability-detection #62

Open
PekkaJalonen opened this issue Jun 23, 2024 · 10 comments
Comments

@PekkaJalonen

Hello,

Does the connector support new vulnerability-detection in wazuh?

The latest Wazuh release creates new wazuh-states-vulnerabilities* index to which it generates findings, and the older vulnerability detector will be deprecated.

@misje
Owner

misje commented Jun 23, 2024

I've already tested out the new vulnerability detection module, and the changes do not affect this connector. The same events are created when vulnerabilities are found and resolved in 4.8.0. The new (optional) index is not used, but it is perhaps something I will look into in the future, if it is of any use.

@misje misje self-assigned this Jun 23, 2024
@PekkaJalonen
Author

You are fast as always, thanks for the support. I will close this issue.

@PekkaJalonen
Author

Hello, actually I think that there are some issues with this. I just tested this. The Wazuh connector is only collecting vulnerabilities where the vulnerability alerts are from the old vulnerability-detector. I can still get sightings from the old alerts collected before the upgrade to 4.8.0. But anything collected after that with the new vulnerability detection model does not give any results.

When I look up one vulnerability in Wazuh 4.8.0 from the new vulnerability detection dashboard, and enrich the vulnerability in OpenCTI, I get 0 sightings.

@PekkaJalonen
Author

PekkaJalonen commented Jun 24, 2024

If agents are running an old Wazuh version, those will still report to rule.group:vulnerability-detector, but when agents are upgraded to 4.8.0, those alerts will not show up anymore; instead the data will be found in the new index only.

UPDATE: Seems that this is incorrect; new agents are generating findings and the Wazuh manager still uses vulnerability-detector as the location for alerts.

@misje
Owner

misje commented Jun 24, 2024

I'm sorry, you're absolutely right. I almost don't believe that this is intentional, because now Wazuh doesn't appear to log any historical information that a vulnerability was present in a system. I created an issue about this in the Wazuh project and I hope I'm either wrong, and that this is a configuration issue, or that they realise that this is a big step back. This isn't just a bummer for this connector, but I really want to see events for when a vulnerability was present and solved, not just the current state.

In the worst case, I can add support for looking for the vulnerability data in the index. Most features should remain intact, apart from the fact that only active vulnerabilities can be found.

@misje
Owner

misje commented Jun 24, 2024

As you also have discovered, there are a number of issues with Wazuh 4.8.0 (the one you have filed is quite the surprising one!). There appear to be missing events for the docker module too. I think I'll be waiting for updates from Wazuh before I spend any time on workarounds for this issue.

@PekkaJalonen
Author

PekkaJalonen commented Jun 24, 2024

Understandable; it looks to be challenging even getting any answers from Wazuh. Also, one big issue with vulnerability-detection is that it does not follow any grouping/labels, which all other alert collection does. So you cannot trigger alerts per group of agents or grant access per group of agents; everything is in a single pile of machines etc. The release is a total mess!

@PekkaJalonen
Author

Based on discussions after these changes, it looks like the vulnerability-detector is still used for alerts. What has changed is that the machines will run a baseline collection. For the first initial scan, no alerts will be triggered (there is an issue where they will fix this initial scan as part of release 5.0). Also, alerts for the same vulnerabilities will no longer trigger multiple times, only on changes (new, fixed etc.).

The new index wazuh-states-vulnerabilities is used for the new Vulnerability Detection dashboard.

So, basically your awesome work has not gone to waste. It is still relevant even if Wazuh has some shortcomings which they hopefully fix soon.

@misje
Owner

misje commented Sep 19, 2024

I have seen some alerts since I first raised the issue, but I haven't looked into exactly what it took to make them. Your explanation makes sense. Even if I don't understand why they went this way.

Their new index is useless when what I want is to look up historical data, not just the current state. Even if it could provide some use.

It sounds like there is no need to remove the vulnerability support, then. That's good!

@misje
Owner

misje commented Sep 19, 2024

What would be the summary of how this works in the connector?

  • Sightings of active vulnerabilities will work as of 5.0.0(?)
  • Sightings of resolved vulnerabilities work (i.e. just an end date as per the current version, no first seen date)
  • A sighting will only be of the first time a vulnerability was present in the system. If a user re-installs a vulnerable version, this is missed(!)
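To make the three points above concrete, here is an added Python simulation (not the connector's own code) of how change-only vulnerability-detector alerts turn into sightings, including the baseline host that only ever produces a "Solved" alert and the re-install case. The alert field layout (rule.groups, data.vulnerability.cve/status with values "Active"/"Solved"), the CVE ids, agent ids and timestamps are constructed assumptions for the demo.

```python
from collections import defaultdict

VD_GROUP = "vulnerability-detector"  # the rule group the connector filters on


def alert(ts, agent, cve, status, group=VD_GROUP):
    """Build a minimal alert dict in the assumed Wazuh vulnerability-detector layout."""
    return {"timestamp": ts, "agent": {"id": agent}, "rule": {"groups": [group]},
            "data": {"vulnerability": {"cve": cve, "status": status}}}


# Constructed sample stream; CVE ids are placeholders, not real identifiers.
SAMPLE_ALERTS = [
    alert("2024-06-20T10:00:00Z", "001", "CVE-0000-0001", "Active"),  # found
    alert("2024-06-22T08:00:00Z", "001", "CVE-0000-0001", "Solved"),  # fixed
    alert("2024-06-25T09:00:00Z", "002", "CVE-0000-0001", "Solved"),  # baseline host: fix only
    alert("2024-06-21T11:00:00Z", "003", "CVE-0000-0002", "Active"),
    alert("2024-06-23T11:00:00Z", "003", "CVE-0000-0002", "Solved"),
    alert("2024-06-30T11:00:00Z", "003", "CVE-0000-0002", "Active"),  # vulnerable version re-installed
    alert("2024-06-30T12:00:00Z", "003", "CVE-0000-0002", "Solved", group="syscheck"),  # wrong group
]


def build_sightings(alerts, split_on_reinstall=False):
    """Return {(agent, cve): [{"first_seen", "last_seen"}, ...]} from change-only alerts.

    With split_on_reinstall=False each (agent, cve) pair gets at most one sighting,
    so a re-installed vulnerable version is missed (the gap noted in the thread).
    With True, an "Active" alert after a "Solved" one opens a new sighting.
    """
    sightings = defaultdict(list)
    for a in sorted(alerts, key=lambda x: x["timestamp"]):
        if VD_GROUP not in a["rule"]["groups"]:
            continue  # other modules' alerts never become vulnerability sightings
        key = (a["agent"]["id"], a["data"]["vulnerability"]["cve"])
        status = a["data"]["vulnerability"]["status"]
        current = sightings[key]
        if status == "Active":
            if not current or (split_on_reinstall and current[-1]["last_seen"]):
                current.append({"first_seen": a["timestamp"], "last_seen": None})
            # else: already known; the re-appearance is silently dropped
        elif status == "Solved":
            if not current:
                # Baseline host: no "Active" alert was ever produced, so only the end date is known.
                current.append({"first_seen": None, "last_seen": a["timestamp"]})
            else:
                current[-1]["last_seen"] = a["timestamp"]
    return dict(sightings)
```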
